AppGuard 4.x 32/64 Bit - Releases

Discussion in 'other anti-malware software' started by Jryder54, Oct 29, 2013.

Thread Status:
Not open for further replies.
  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Thank you.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
The big thing is to run a good process monitor to make sure the malware is not spawning any processes. AG may allow signed malware to spawn a process guarded in medium mode of protection. It's the equivalent of allowing it to run with limited rights, or sandboxing it. If the process is able to spawn child processes then that is not good. I would expect to not see any process spawned in locked down mode since even signed executables are not permitted to run. The strange thing about this malware is it's supposedly not signed so medium mode of protection should not have allowed it to run either. I was sent some details about the method used to bypass AG, but I will leave that up to BRN to report because I may just get it wrong. I'm going to test it for myself soon. I have a cold right now, and don't feel so well. I may test it tonight if I'm feeling better.
     
  3. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    No problem.
     
  4. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
    Hope you get better soon :thumb:
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

Great. I sent her a sample. Good news is EIS shuts it down, and SBIE contains it. Can't wait to hear from Barb.

    Pete
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Thanks!
     
  7. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
We are aware of the malware tips report and are looking into it. I hope to have an update for you all on Monday. I will say that our initial findings show that it is not quite as bad as it looks (because malware isn't going to be able to "double-click" on a desktop shortcut - it will be initiated by another process). If this attack originates from a Guarded Browser (the most likely entrance into your system) or Outlook for instance, AppGuard does contain the process so that it cannot alter system components or access private folders.
     
  8. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I thought that would be the case, but had not tested it for myself yet. That's good information to know.
     
  9. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    Excellent, it's good to know that Sandboxie 4.14 does fully protect against CTB-Locker (even on default level). The only thing that needs to be done is to fix this issue with AppGuard and everything is secure again.
     
  10. malware1

    malware1 Registered Member

    Joined:
    May 26, 2014
    Posts:
    133
It seems you all look at the wrong point; the CTB-Locker was just an example. The issue is that with some trick AppGuard allows executing executable files that are in the user space, and it could be used in the wild in the future. It works in Locked Down level too; maybe the locker isn't able to encrypt the files, but it's executed properly.
    If I understand it correctly, such a sample could be attached to spam emails in the future (in an archive) and if the shortcut is run (double-click), AppGuard wouldn't block it because it's not launched from the browser. Am I right?
     
    Last edited: Jan 31, 2015
  11. domino947

    domino947 Registered Member

    Joined:
    Jan 28, 2015
    Posts:
    6
    Barb_C, when you report back on Monday could you please bring some details explaining the underlying mechanics that failed?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    They may or may not want to do that for security reasons.

    Pete
     
  13. domino947

    domino947 Registered Member

    Joined:
    Jan 28, 2015
    Posts:
    6
    Sure, it doesn't make sense to be so specific as to compromise AppGuard. And up to that point it is valuable in terms of understanding how AppGuard works in order to be able to use it most effectively.
     
  14. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
Thank you malware1, you have a point here. It might be exploited in the wild the way you said and it's really worrying...
     
  15. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    Hi Barb,

    Is AG 3.5.6.0 also affected?
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
It might be time to upgrade. If there is a fix involved I doubt they would update an older version.
     
  17. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,470
    Location:
    Hollow Earth - Telos
Does AG 4 protect the MBR yet like AG 3 does?
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
No, it does not. The only protection it offers the MBR is by not allowing the malware to execute in the first place.
     
  19. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
Is everyone else seeing this after updating to the latest version of Java? I have been getting this for about two weeks now. The only things in the programdata\oracle\java\javapath folder are shortcuts for java, javaw, and javaws. Whatever Java is attempting to do is being blocked. Maybe Java is trying to check for an update, I don't know. I'm not sure if this could cause Java to become corrupted, or if I should be concerned. It is getting blocked every session. I'm using Windows 7 x64 Ultimate.

    02/01/15 07:04:24 Prevented process <dismapi.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.

    02/01/15 07:04:27 Prevented process <api-ms-win-downlevel-kernel32-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.

    02/01/15 07:04:27 Prevented process <api-ms-win-downlevel-advapi32-l1-1-1.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.

    02/01/15 07:04:27 Prevented process <api-ms-win-downlevel-ole32-l1-1-1.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.

    02/01/15 07:04:27 Prevented process <api-ms-win-downlevel-kernel32-l2-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.

    02/01/15 07:04:27 Prevented process <api-ms-win-downlevel-user32-l1-1-1.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.

    02/01/15 07:04:28 Prevented process <api-ms-win-downlevel-advapi32-l4-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.

    02/01/15 07:04:28 Prevented process <api-ms-win-core-winrt-l1-1-0.dll | C:\Windows\System32\rundll32.exe> from launching from <c:\programdata\oracle\java\javapath>.
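A small parser for the AppGuard "Prevented process" lines quoted in the post above, added here as an example and not AppGuard's own tooling: it extracts the timestamp, the module named before the pipe, the host image and the launch directory, then groups the blocks by image and directory so it is obvious at a glance that every event is the same rundll32.exe host being launched from the javapath folder (the sample input is constructed from three of the post's lines plus one unrelated line).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Shape of the AppGuard "Prevented process" lines quoted in the post above.
_EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"Prevented process <(?P<module>[^|>]+?) \| (?P<image>[^>]+?)> "
    r"from launching from <(?P<launch_dir>[^>]+?)>\.$"
)


@dataclass(frozen=True)
class BlockedLaunch:
    timestamp: str
    module: str      # the DLL/argument AppGuard names before the pipe
    image: str       # the host executable whose launch was blocked
    launch_dir: str  # the directory the launch originated from


def parse_events(lines):
    """Parse 'Prevented process' lines; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = _EVENT_RE.match(line.strip())
        if m:
            events.append(BlockedLaunch(m["ts"], m["module"], m["image"], m["launch_dir"]))
    return events


def summarize(events):
    """Group blocks by (launch directory, host image) -> sorted distinct modules."""
    groups = defaultdict(set)
    for ev in events:
        groups[(ev.launch_dir.lower(), ev.image.lower())].add(ev.module.lower())
    return {key: sorted(mods) for key, mods in groups.items()}


# Constructed sample: three lines copied from the post plus one non-event line.
SAMPLE_LOG = """\
02/01/15 07:04:24 Prevented process <dismapi.dll | C:\\Windows\\System32\\rundll32.exe> from launching from <c:\\programdata\\oracle\\java\\javapath>.
02/01/15 07:04:27 Prevented process <api-ms-win-downlevel-kernel32-l1-1-0.dll | C:\\Windows\\System32\\rundll32.exe> from launching from <c:\\programdata\\oracle\\java\\javapath>.
02/01/15 07:04:28 Prevented process <api-ms-win-core-winrt-l1-1-0.dll | C:\\Windows\\System32\\rundll32.exe> from launching from <c:\\programdata\\oracle\\java\\javapath>.
02/01/15 07:05:00 Some other AppGuard line that is not a block event.
""".splitlines()

if __name__ == "__main__":
    for (launch_dir, image), modules in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{image} launched from {launch_dir}: {len(modules)} blocked module(s)")
        for mod in modules:
            print("   ", mod)
```

Feeding a whole session's AppGuard log through parse_events and summarize turns a wall of repeated lines into one row per (directory, image) pair, which is the quickest way to see whether a repeated block is one benign updater or something launching from several user-writable places.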
     
  20. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    Hi all. Thanks to malware1 for being persistent in getting some of the nuances of his test through my thick head. I believe that we fully understand the extent of the problem and we are fixing it. I would prefer not to go through the techniques used until we have an update ready and deployed to all of our customers. I would hope that those that know the underlying details would keep it confidential so that the bad guys don't try to leverage it for a targeted attack.

    I will share that the problem occurs because of an inconsistency in the way that the OS is treating certain types of process launches and not so much a bug in AppGuard. Our current strategy is actually to enhance AppGuard to remedy this OS anomaly (vs. a bug fix).

I can assure you that this is priority 1 for our developers and test lab and that we hope to have an update later this week or early next week for a short beta test. If the beta test goes well, the general release will take place shortly after. If anything changes with respect to this plan, I'll post in this forum.
     
  21. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,809
    Location:
    .
Great news indeed! Many thanks, Barb_C.
     
  22. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
True, but aside from the fact that v4.x has no MBRguard, I also prefer the two-way MemoryGuard from v3.x.
     
  23. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
True enough, but with the changes in v4, I suspect the bug fix might not be back ported to 3. Only time will tell.
     
  24. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,873
    Location:
    Outer space
    I gave it another try, and even on a machine without AppGuard, I'm unable to run Tor Browser from Program Files unless I run it as Administrator, so I think it is more an issue with TBB than AG.
     
  25. Barb_C

    Barb_C Developer

    Joined:
    Jan 7, 2011
    Posts:
    1,234
    Location:
    Virginia
    The bug fix (or as I prefer to call it "the enhancement") will not be ported back to version 3. The main change required will be in the driver which *may* work with version 3. Our test lab will not test compatibility for sure, but if I get feedback from the developer that it might work, I'll let you know.
     
    Last edited: Feb 2, 2015